Why do users trust the wrong messages? A behavioural model of phishing
- Authors: Watters, Paul
- Date: 2009
- Type: Text , Conference paper
- Relation: Paper presented at 2009 eCrime Researchers Summit, eCRIME '09, Tacoma, Washington : 20th-21st October 2009 p. 1-7
- Full Text:
- Description: Given the rise of phishing over the past 5 years, a recurring question is why users continue to fall for these scams? Various technical countermeasures have been proposed to try and counter phishing, and none have yet comprehensively succeeded in preventing users from becoming victims. This paper argues that an explicit model of user psychology is required to understand user behaviour in (a) processing phishing e-mails, (b) clicking on links to phishing websites, and (c) interacting with these websites. Many users engage in e-mail and web activity with an inappropriately high level of trust: users are constantly rewarded by their online interactions, even where there is a low level of formalised trust between the sending and receiving parties, e.g., if an e-mail claims to be sent from a bank, then it must be so, even if there has been no a priori exchange of credentials mediated by a trusted third party. Previously, mathematical models have been developed to predict trust establishment and maintenance based on reputation scores (e.g., Tran et al. [1, 2]). This paper considers two inter-related questions: (a) can we model the behaviour of users learning to trust, based on non-associative models of learning (habituation and sensitisation), and (b) can we then locate this behavioural activity in a broader psychological model with a view to identifying potential countermeasures which might circumvent learned behaviour? © 2009 Crown.
The seven scam types: Mapping the terrain of cybercrime
- Authors: Stabek, Amber , Watters, Paul , Layton, Robert
- Date: 2010
- Type: Text , Conference proceedings
- Full Text:
- Description: Threat of cybercrime is a growing danger to the economy. Industries and businesses are targeted by cyber-criminals along with members of the general public. Since cybercrime is often a symptom of more complex criminological regimes such as laundering, trafficking and terrorism, the true damage caused to society is unknown. Dissimilarities in reporting procedures and non-uniform cybercrime classifications lead international reporting bodies to produce incompatible results which cause difficulties in making valid comparisons. A cybercrime classification framework has been identified as necessary for the development of an inter-jurisdictional, transnational, and global approach to identify, intercept, and prosecute cyber-criminals. Outlined in this paper is a cybercrime classification framework which has been applied to the incidence of scams. Content analysis was performed on over 250 scam descriptions stemming from in excess of 35 scamming categories and over 80 static features derived. Using hierarchical cluster and discriminant function analysis, the sample was reduced from over 35 ambiguous categories into 7 scam types and the top four scamming functions - identified as scamming business processes, revealed. The results of this research bear significant ramifications to the current state of scam and cybercrime classification, research and analysis, as well as offer significant insight into the business processes and applications adopted by scammers and cyber-criminals. © 2010 IEEE.
The case for a consistent cyberscam classification framework (CCCF)
- Authors: Stabek, Amber , Brown, Simon , Watters, Paul
- Date: 2009
- Type: Text , Conference paper
- Relation: Paper presented at UIC-ATC 2009 - Symposia and Workshops on Ubiquitous, Autonomic and Trusted Computing in Conjunction with the UIC'09 and ATC'09 Conferences, Brisbane : 7th-9th July 2009 p. 525-530
- Full Text:
- Description: Cyberscam classification schemes developed by international statistical reporting bodies, including the Bureau of Statistics (Australia), the Internet Crime Complaint Center (US), and the Environics Research Group (Canada), are diverse and largely incompatible. This makes comparisons of cyberscam incidence across jurisdictions very difficult. This paper argues that the critical first step towards the development of an inter-jurisdictional and global approach to identify and intercept cyberscams - and prosecute scammers - is a uniform classification system. © 2009 IEEE.
Using differencing to increase distinctiveness for phishing website clustering
- Authors: Layton, Robert , Brown, Simon , Watters, Paul
- Date: 2009
- Type: Text , Conference paper
- Relation: Paper presented at UIC-ATC 2009 - Symposia and Workshops on Ubiquitous, Autonomic and Trusted Computing in Conjunction with the UIC'09 and ATC'09 Conferences, Brisbane : 7th-9th July 2009 p. 488-492
- Full Text: false
- Description: Phishing webpages present a previously underused resource for information on determining provenance of phishing attacks. Phishing webpages aim to impersonate a legitimate website in order to trick their potential victims into revealing their confidential data, such as usernames and passwords. However, different phishing webpages often contain small differences and these differences can provide a great deal of evidence on the provenance of phishing attacks. When impersonating a webpage, there is often a large amount of 'redundant' information, as much of the original, impersonated website is found in phishing websites, making phishing websites across different attacks very similar. In order to attempt to overcome this issue, a diff can be used which takes the phishing and original websites as input and returns the differences between the two. These differences present a new view on the data that is previously unused and presents a novel way to increase the ability of clustering algorithms to find good, distinct and separated clusters within the data. The research presented here outlines this diff process and shows that for the data used, comparable results were obtained while the dimensionality of the dataset was reduced. This reduction in size allows for clustering algorithms to complete faster, due to the reduced dimensionality of the dataset. © 2009 IEEE.
Determining provenance in phishing websites using automated conceptual analysis
- Authors: Layton, Robert , Watters, Paul
- Date: 2009
- Type: Text , Conference paper
- Relation: Paper presented at 2009 eCrime Researchers Summit, eCRIME '09, Tacoma, Washington : 20th-21st October 2009 p. 1-7
- Full Text:
- Description: Phishing is a form of online fraud with drastic consequences for the victims and institutions being defrauded. A phishing attack tries to create a believable environment for the intended victim to enter their confidential data such that the attacker can use or sell this information later. In order to apprehend phishers, law enforcement agencies need automated systems capable of tracking the size and scope of phishing attacks, in order to more wisely use their resources shutting down the major players, rather than wasting resources stopping smaller operations. In order to develop these systems, phishing attacks need to be clustered by provenance in a way that adequately profiles these evolving attackers. The research presented in this paper looks at the viability of using automated conceptual analysis through cluster analysis techniques on phishing websites, with the aim of determining provenance of these phishing attacks. Conceptual analysis is performed on the source code of the websites, rather than the final text that is displayed to the user, eliminating problems with rendering obfuscation and increasing the distinctiveness brought about by differences in coding styles of the phishers. By using cluster analysis algorithms, distinguishing factors between groups of phishing websites can be obtained. The results indicate that it is difficult to separate websites by provenance without also separating by intent, by looking at the phishing websites alone. Instead, the methods discussed in this paper should form part of a larger system that uses more information about the phishing attacks.
The effectiveness of using static features in identifying scam genres
- Authors: Stabek, Amber
- Date: 2010
- Type: Text , Thesis , Masters
- Full Text:
- Description: Thesis details a cybercrime classification framework stemming from a mixed methodological approach, which is both top down and bottom up and is designed to be multidisciplinary and adaptable across sectors.
- Description: Master by Research of Mathematical Sciences
- Description: Variation in scam classification is regularly identified as a primary cause of discrepancy in victim report data resulting in unsuccessful scam identification and insufficient rates of interception by law enforcement, which results in the low prosecution rate of scammers. The result of such discrepancies leads to complex concerns, such as the under-reporting of scam incidence, and reduced rates of successful follow up by investigative and enforcement agencies consequential to difficulties in making correct referrals. Without a shared and common lexicon of scam labels and descriptions, communication between investigative agencies and cross-border cooperation is obstructed. With no compatible comprehension of the scam lexicon, timely progression in scam-case management leading to the identification, tracking and interception of scammer communications cannot be realised. Ambiguities leading to interpretational impedances are aiding scammers by enabling their scams in cross-jurisdictional and multi-national platforms. If the wide variety of known scam types could be condensed to recognisable and traceable instances, the business models that scammers use could be identified and future scamming events predicted, monitored, and interrupted. Following a mixed methodology, this research aims to address some of these concerns. This is achieved by clustering scam descriptions and partitioning them into scam types, called scam genres. The result of which reveals homogeneous groups of scam cases and allows for the assessment of the effectiveness of using static features in identifying scam types. Second to this, identification of the most suitable model for reducing scam cases into the fewest number of clusters with the least number of scam cases within each cluster at an accuracy level of at least 95% is achieved. Through the use of hierarchical clustering, this research grouped publicly available scams into homogeneous clusters of scam genres.
Two-hundred and seventy-seven scams from 38 separate categories of scam classification were condensed into as few as 7 clusters of scam genre. Following a mixed methodological, grounded theoretical approach and using discriminant function analysis, 82 static features were derived from the 277 scam descriptions analysed. Of the 82 static features derived, it was concluded that only 68 significantly predicted scam type and explained 95% of the total variation found in scam case assignment. The most significant static features determined to be crucial to any scamming campaign and useful in identifying the type of scam genre a scam case belongs to were: what the scam offered, the role of the victim, the goal of the scammer and the method of scam introduction. The results of this research provide empirical evidence of the inconsistent use of definitions across jurisdictions in scam descriptions, and will contribute to the development of a uniform lexicon of scamming terminology as well as become foundational to further research on the impact of scams for law enforcement, the public and private sector, the community and the individual.